Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks 179
msm1267 writes with an excerpt From Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success."
Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.
Re:Accidentally, or not? (Score:5, Informative)
Yep. Had BCP38 (Best Current Practice No. 38) [ietf.org] been in effect at those ISP's, this attack would not have occurred.
Re:Accidentally, or not? (Score:4, Informative)
A DNS server has no way of verifying whether the source address is valid. Only the ISP who provides access to the originator of the traffic can do that.
Re:Why are people not being alerted? (Score:4, Informative)
Because the DNS servers are doing nothing wrong.
The problem is that people can spoof source addresses (because ISPs arent stopping it). Fix this issue, and youll still have to worry about any of a million other scenarios where a small request gets a lot of data back.
All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.
Re:Why are people not being alerted? (Score:4, Informative)
Because the DNS servers are doing nothing wrong.
The problem is that people can spoof source addresses (because ISPs arent stopping it). Fix this issue, and youll still have to worry about any of a million other scenarios where a small request gets a lot of data back.
All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.
Actually, they are. The feature being leveraged here is that the servers are performing recursive lookups for domains that they do not control for the open Internet; BIND turns this off, by default, starting with version 9.4. The problem is that a lot of 9.3.X and older DNS servers are still out there, as well as a lot of bad network architecture jobs. The servers should only handle recursion for IP addresses that are on the inside. And as for the spoofing? Well, ingress filtering is trivial to do at the border. And these two things in concert shut this problem down entirely.
Re:By Design (Score:2, Informative)